Phish Found in Environments Protected by SEGs: Microsoft
By Kyle Duncan, Cofense Phishing Defense Center
Threat actors continue to be a thorn in the side of business owners everywhere, as evidenced by a recent phishing campaign observed by the Cofense Phishing Defense Center (PDC). With the effects of COVID-19 still disrupting lives and businesses, this campaign exploits the anxieties of those awaiting government aid. The attackers pose as representatives of the United States Small Business Administration (SBA). By offering fake grant applications through illegitimate forms hosted on Google Docs, they hope to walk away with victims' private information.
Figure 1: Email Body
Figure 1 shows a suspiciously simple email asking the recipient to submit a form to qualify for a government COVID-19 grant for their business. The threat actor uses the SBA logo to make the email appear legitimate, but there are noticeable red flags. First, note the sender's domain (@t-online.de): this is a German consumer email provider, not an official government domain, so the sender is not who they claim to be. Second, the body itself should give a recipient pause, since the government does not send unsolicited emails offering grants. At the bottom of the email the target is urged, in large bold type, to download an attached PDF file to proceed.
Figure 2: PDF Attachment
After opening the PDF file seen in Figure 2, the target is presented with a relatively well-constructed document. It contains a short paragraph about the grant program and a "click to apply" hyperlink pointing to the shortened URL hXXps://bit[.]ly/3GPM2ud. The shortener hides the true destination from anyone who hovers over the link. One interesting detail is that the first phone number near the bottom is a legitimate SBA customer service number. Since a call to that number would have revealed the grant offer as fake, the threat actor most likely included it only to make the document look more legitimate at first glance.
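The red flags described above (government-brand content sent from a non-government domain, a PDF attachment, and a URL shortener hiding the real destination) can be checked automatically when triaging a reported email. The following Python script is an added example, not code from Cofense or from the original post. It uses only the standard library: it parses a raw message, compares the sender's domain against the domains the impersonated brand actually owns, and scans any PDF attachment's raw bytes for `/URI` link annotations whose host is a known shortener. The sample message, its local part, the brand-to-domain table and the shortener list are all constructed for illustration; the bit.ly path in the sample is a placeholder, not the campaign's link, and the attachment is a minimal PDF-like byte string rather than a real document.

```python
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption (constructed for the example): brands worth protecting, the keywords
# that signal their impersonation, and the domains that may legitimately send for them.
BRANDS = {
    "sba": {"keywords": ["sba", "small business administration"],
            "domains": {"sba.gov"}},
}

# Assumption: public shorteners that hide a phishing destination from a hovering user.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# PDF link annotations carry their target as: /A << /S /URI /URI (https://...) >>
URI_RE = re.compile(rb"/URI\s*\(\s*(https?://[^)\s]+)\s*\)", re.IGNORECASE)
TEXT_URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if missing)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def body_text(msg) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def claimed_brands(msg) -> set:
    """Brands whose keywords appear in the subject or body."""
    text = ((msg.get("Subject") or "") + " " + body_text(msg)).lower()
    return {b for b, spec in BRANDS.items()
            if any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in spec["keywords"])}


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def urls_in_pdf(data: bytes) -> list:
    """Extract link-annotation targets from raw PDF bytes (no PDF library needed)."""
    return [m.decode("ascii", "replace") for m in URI_RE.findall(data)]


def triage(raw: bytes) -> list:
    """Return a list of findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sdom = sender_domain(msg)
    for brand in sorted(claimed_brands(msg)):
        allowed = BRANDS[brand]["domains"]
        if not any(sdom == d or sdom.endswith("." + d) for d in allowed):
            findings.append(f"brand_mismatch: {brand} content from {sdom}")
    for part in msg.iter_attachments():
        is_pdf = (part.get_content_type() == "application/pdf"
                  or (part.get_filename() or "").lower().endswith(".pdf"))
        if not is_pdf:
            continue
        findings.append(f"pdf_attachment: {part.get_filename()}")
        for url in urls_in_pdf(part.get_payload(decode=True) or b""):
            if host_of(url) in SHORTENERS:
                findings.append(f"shortened_url_in_pdf: {url}")
    for url in TEXT_URL_RE.findall(body_text(msg)):
        if host_of(url) in SHORTENERS:
            findings.append(f"shortened_url_in_body: {url}")
    return findings


def build_sample() -> bytes:
    """Constructed sample mirroring the campaign's shape (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "SBA Grants <sender@t-online.de>"   # local part is a placeholder
    msg["To"] = "owner@example.com"
    msg["Subject"] = "Small Business Administration COVID-19 Grant"
    msg.set_content("Download the attached PDF to apply for your SBA grant.")
    # Minimal PDF-like bytes with one link annotation; placeholder bit.ly path.
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://bit.ly/xxxxxxx) >> >> endobj\n%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="SBA_Grant_Application.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The domain check deliberately accepts subdomains of an allowed domain but not look-alikes such as `sba.gov.example`, because the comparison is on the registered suffix rather than a substring match. Scanning the PDF bytes for `/URI` entries catches links in uncompressed annotation dictionaries, which is how simple phishing PDFs usually embed them; a PDF whose objects sit inside compressed object streams would need a proper PDF parser to inflate first.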
Figure 3: Phishing Page